Apple iPads/FAQ: Difference between revisions
No edit summary |
|||
Line 1: | Line 1: | ||
You may use Ctrl-f or Cmd-f to search on this page. This page is continuously updated as we identify new issues. | You may use Ctrl-f or Cmd-f to search on this page. This page is continuously updated as we identify new issues. | ||
[[Apple iPads/FAQ2]] | |||
== Workspace ONE Basics == | == Workspace ONE Basics == | ||
Latest revision as of 11:46, 13 August 2023
You may use Ctrl-f or Cmd-f to search on this page. This page is continuously updated as we identify new issues. Apple iPads/FAQ2
Workspace ONE Basics
I'm new to Workspace ONE. How can I learn more about it?
You can view a 58 minute video tutorial on using Workspace ONE that was recorded in September of 2020 here: https://vimeo.com/454498108.
Another training session was held in October of 2022: https://vimeo.com/765098366/fdf32e09cd.
How do I get an account to login to Worksapce ONE?
If you are just receiving iPads for the first time and you do not have a login account, please email ipads@desalesmedia.org and copy ctn@desalesmedia.org and your principal and we will create an account for you. If your school has had iPads, but someone else previously managed them, try to ask that person or your principal for the login credentials.
Can we have two people at our school with logins to Workspace ONE?
Yes. If multiple people at your school will be managing iPads, we recommend that each person have their own login account to Workspace ONE. Please email ipads@desalesmedia.org and copy ctn@desalesmedia.org and your principal and we will create an account for you.
I forgot my password to Workspace ONE.
Please email ipads@desalesmedia.org and be sure to let us know the username that you use to login to Workspace ONE.
What does it mean to "enroll" an iPad? What username and password should I use?
You enroll an iPad when you open the Hub app and login using the enrollment credentials. For most iPads, they are enrolled when they are initially deployed and their enrollment doesn't ever change. However, if you ever perform a Device Wipe, you will need to re-enroll the iPad.
Each school is assigned a four or five character abbreviation for their school name which is used in the enrollment account. For example, enrollment accounts for student iPads at Good Shepherd Catholic Academy are: GSCA-STUD001, GSCA-STUD002, GSCA-STUD003, etc. And teacher iPads are enrolled with accounts: GSCA-TEAC001, GSCA-TEAC002, GSCA-TEAC003, etc.
Each enrollment account can only be used to enroll one iPad. If you try to enroll an iPad using an account that has already been used to enroll another iPad, you will receive an error which states: "The Operation couldn't be completed." If you perform a Device Wipe on an iPad, that enrollment account is "released" and can be used to enroll that same iPad or a different iPad.
In Workspace ONE, I see an iPad with STAGING in the name. What does that mean?
The most likely reason for this is that someone did a factory reset (either by issuing the Device Wipe command from Workspace ONE or by choosing Reset All Content and Settings from the iPad under Settings, General, Reset) and did not re-enroll the iPad. As soon as you re-enroll the iPad, the name will change to the enrollment username.
What is the Hub app? How is it used?
The Hub (aka Intelligent Hub) app is one of two apps that are installed automatically the first time each iPad is powered on. The Hub app is used to enroll the iPad (which installs all other apps). The Hub app requires iOS version 12.2, so if you are running an older version of iOS, you should upgrade as soon as possible.
If you open the Hub app, you can see the enrollment account ID and also the date and time when the app last checked in with Workspace ONE (if you do not see that, tap the left-pointing-arrow in the upper left corner of the screen).
You can also use the Hub app to test connectivity to Workspace ONE by tapping on This Device and then tapping Send Data.
If you open the Hub app and it prompts you to enter a username and password (the enrollment credentials), but you do not know what to enter, send an email to ipads@desalesmedia.org and include the serial number of the iPad.
If you do not see the Hub app on an iPad, open Settings and look in the upper left corner. You should see a message like this:
If you do not see a message like that, this iPad was not provided by or managed by DeSales Media.
What is the Catalog app? How is it used?
The Catalog app is one of two apps that are installed automatically the first time each iPad is powered on. It shows each app which has been assigned to the iPad along with its installation status. Users can also manually install apps from the Catalog app if they are not automatically deployed from Workspace ONE.
The Catalog app is a useful troubleshooting tool when deploying apps, because if you are expecting an app to be deployed to an iPad, but you do not see it in the Catalog, then most likely the app is not deployed correctly. If you do see the app in the Catalog, but it is not installed on the iPad, it may be due to one of the following:
- Slow Internet bandwidth: recommended to connect to a Wi-Fi network with a fast and reliable Internet connection
- Lack of available storage space on the iPad: recommended to remove unneeded apps or media files
- Unsupported version of iOS: recommended to upgrade the iOS on the iPad
- Other reason which cannot be explained: recommended to perform a Device Wipe on the iPadThe information displayed in the Catalog app will be very similar to the information you see in Workspace ONE by navigating to Device List, clicking on the name of an iPad, then clicking on the Apps tab. The information might not match exactly, because Workspace ONE can sometimes show outdated information - this occurs when the status of an app or configuration changes on the iPad, but it has not updated Workspace ONE right away.
Is it possible for me to see what would display in the Catalog app on an iPad?
Yes. This will be available in the summer of 2021: http://172.16.20.17/fishbowl/catalog.php
What is an Organization Unit (OU)?
Workspace ONE uses a hierarchical structure for its configuration - similar to branches on a tree. Each school has an Organizational Unit (OU), which is like a container for its devices, Profiles, Smart Groups, and apps. Within each school's OU are sub-OUs for Students and Teachers. Some schools also have an OU for Chromebooks, but these were only created for testing; we ultimately decided not to use Workspace ONE to manage Chromebooks.
The administrator at each school has an account which has permissions to view everything within the school's OU and also within all sub-OUs. The administrator cannot view elements associated with other branch OUs or higher-level OUs, because they belong to other schools.
At the top level, is an OU for DeSales Media Group and at this level, there are Smart Groups, policies, and apps which are assigned to your school, but you do not have the ability to modify them. For example, in the image below, you can see two Assignment Groups which are managed at the DeSales Media Group level.
What is an Assignment Group? What is a Smart Group?
The primary purpose of an Assignment Group is to identify a group of devices to which an app or Profile will be assigned. There are two types of Assignment Groups: Smart Groups (membership is dynamic and varies based on elements of the device or user) and Organizational Units (membership is determined based on where the device exists in the OU structure.
To add, view, or modify Assignment Groups, login to Workspace ONE, click Groups & Settings (in the menu column on the left), click Groups, and then click Assignment Groups. You can create as many Smart Groups as you like for your school. A common use of Smart Groups it to create one group for each app that you deploy. You assign the app to the Smart Group and then you can add only the iPads to the Smart Group which need the app. This prevent you from having to deploy every app to every iPad and saves storage space on the iPads.
What is the Cisco Security Connector app?
It prevents anyone from accessing inappropriate content (pornography, gambling, hate speach, etc.) on the Internet - even if the user is trying to hide their activity through the use of encryption or a proxy server. It enforces security regardless of how or from where the iPad is connecting to the Internet. Although this is a very good security tool, a creative and determined individual could potentially find a way around it.
When I open the Hub app, it prompts me to enter an Email Address or Server or to scan a QR Code.
This happens when the iPad has become deprovisioned from Workspace ONE. Typically, the only way to resolve this issue is to wipe and re-enroll the iPad. Because it has lost its ability to communicate with Workspace ONE, you must wipe it manually from the iPad.
From the Home Screen, tap Settings, then General, then Reset, and then choose Erase All Content and Settings. Once the iPad reboots, it will automatically install the Hub app and it will have re-established its communication to Workspace ONE, so you will be able to re-enroll the iPad.
Occationally, when the iPad is in this state, it will automatically begin a software update of several installed apps. You must wait until this software update completes before you can Erase All Content and Settings. The software update will complete faster if you connect the iPad to a Wi-Fi network.
If this doesn't resolve the issue, or if you do not see the option to Erase All Content and Settings in the Reset menu, then you will need to send an email to ipads@desalesmedia.org with the serial number and a description of the steps you have tried so far.
Workspace ONE Features
How can I reset the passcode on an iPad?
From Workspace ONE, click on Devices (in the menu on the left), click List View, click the name of the iPad, click More Actions (in the far upper right), under the heading Clear Passcode, choose Device.
When students try to use Google Classroom, they get a message saying they need to add a passcode to the iPad.
When trying to use Google Classroom, students may see a message which states "Your org requires you to set a passcode on this device...". There are two ways you could solve this problem: 1. Log into Google Admin and remove the requirement for a passcode. 2. Log into Workspace ONE and allow a passcode to be set on student iPads.
The downside to allowing students to set passcodes on their iPads is that inevitably, some students will forget their passcode and you will end up spending a lot of time resetting passcodes. The easier solution is to log into https://admin.google.com, click Device Management, Password Settings, and uncheck the box for Require Users to Set a Password.
What is a Profile? Can I modify it?
Profiles are used to enable or disable features or restrictions on an iPad (such as requiring a passcode or disabling the camera). Profiles are assigned to devices via Assignment Groups; multiple Profiles can be applied to an iPad.
If the Profiles have conflicting configurations associated with them, it can be difficult to troubleshoot why a device is behaving in a certain way. Therefore, in order to simplify things, we do not have any Profiles applied to devices from the top organizational level.
To view or modify Profiles, click Devices (from the navigation menu on the left) and click Profiles & Resources and then click Profiles. Each school has two Profiles by default: one for student iPads, and one for teacher iPads. The Profile's name includes the four or five character abbreviation for each school. For example, the Profile for the student iPads at Divine Mercy Catholic Academy is called DMCA - Student Profile - Restrictions (the name may be truncated depending on the size of your window). Click on the name of the Profile and then click the green "Restrictions" on the left side.
If you see at bottom at the bottom which says Add Version, then you should click it. You will not always see it. It may not be obvious, but you can scroll down in this window to view additional options. There are over 100 configurable options within the Restrictions section. If you have questions about how a particular restriction works, send an email to desales-grant-device-management@googlegroups.comm or you could just do a Google search and you will likely find some additional information.
If you modify a Restriction option, click Save And Publish and then click Publish. Workspace ONE will try to push this change out to all affected iPads, but it might not go into effect immediately on all iPads. From an iPad, you can force it to download an updated Profile by tapping on the Hub app, tapping This Device, and then Send Data (if you do not see This Device, then tap the left-pointing arrow in the upper left corner).
Is it possible to block users from accessing certain websites on the iPads?
Yes. But this feature has its limitations: you cannot block access during school hours and allow access after hours, you must manually enter each domain or URL, etc. Enabling this feature could easily lead to more problems that it is solving, but here are the steps to enable it:
- Login to Workspace ONE
- Click Devices (far left), then Profiles & Resources, and then click Profiles.
- Click the profile you want to modify; which is probably xxxx - Student Profile - Restrictions (where the xxxx is an abbreviation for your school).
- Click the Add Version button in the lower right corner of the window that opens (next to the Save & Publish button, but if you do not see a button labeled Add Version, that is fine; you can ignore this step)
- Click Content Filtering in the list on the left and then click Configure
- In the Filter Type dropdown menu, choose Built-in: Deny Websites
- In the blacklisted URLs box, enter the domain(s) and/or URL(s): "facebook.com instagram.com" (separate each with a new line, space, or comma).
- Click Save & Publish, then click Publish
- It should be applied within an hour to any iPad that is powered on and connected to the Internet; on any iPad, you can open the Hub app, tap This Device and then Send Data and that should apply it right away.
- Be sure to test it. You should see a message that says "Restricted Site".
Here is a link to documentation related to this feature: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2008/iOS_Platform/GUID-740093C6-ED7F-45C6-8B7F-3C37866B8360.html.
What are Compliance Policies? What does it mean if an iPad is Not Compliant?
Most schools do not use them, but you could use them if you want to. You could optionally create a policy which says "All iPads must be at iOS version 13.0 or higher". Then as you look in the Device List, you could easily see which devices were Not Compliant. You could create multiple policies on any number of possible configuration, device, or user parameters.
If you would like to learn more about using them, either send an email to desales-grant-device-management@googlegroups.com or try doing a Google search on "How to use compliance policies for iPads in Workspace ONE".
What number or name should I use to uniquely identify each iPad?
There are three different numbers/names you could use, and depending on the purpose, you might want to you one or more.
- Serial Number: always 12 characters and a mix of letters and numbers. The first four characters will always be letters and the first two letters are almost always DM or GG. The only way to see the serial number on the iPad is to tap Settings, then General, and then About. The serial number is also laser etched on the back of the iPad, but it is VERY small and VERY difficult to read - and if there is a case on the iPad it will most likely be covered. You can search for a device by the serial number in Workspace ONE.
- Enrollment Name: this is the username that is logged into the Hub app on the iPad. This name was typically chosen by DeSales Media Group and we often use the format xxxx-STUD001 where the xxxx is a three or four letter abbreviation for the location or school. You cannot use an enrollment ID to login to more than one iPad, so every iPad will have its own enrollment ID, but the enrollment ID is not "fixed" to an iPad, so if you do a Device Wipe, you can then use any available enrollment ID to login (but you should always try to use the same one to avoid confusion.) We recommend that you use a label maker to print the enrollment ID and affix it to the front of the iPad, because this is the easiest way to identify an iPad in Workspace ONE. If you ever ask someone at DeSales Media for help troubleshooting something on an iPad, usually the first thing we need to know is the enrollment ID. If you do not know the enrollment ID of an iPad, just open the Hub app and you will see it at the top.
- Asset Tag: there will be a sticker on the back of all iPads which say "Property of DeSales Media ####-#####". We have used a few different formats over the years, but the first four characters are typically the year and there might be a letter in it also. The asset tag is unique to each iPad. You cannot find the asset tag anywhere in the iPad operating system or apps and you cannot search for it in Workspace ONE.
How can I set a background image on the Home Screen or the Lock Screen?
To set a Home Screen image or Lock Screen image, login to Workspace ONE and navigate to Groups & Settings (in the menu on the left), then choose All Settings. A new window will pop up and at the very top will be a drop-down box which probably has your school name by default; if you keep this setting, the image will be applied to all of your iPads. You could also optionally choose Student or Teacher to only have the image apply to those devices. You cannot have a different image on every iPad or a sub-set of iPads. Click Devices & Users (on the left), then click to expand Apple and then Apple iOS, and then click Managed Settings Requested.
Click the "Override" option next to Current Settings. In the Default Wallpaper section, check the box for "Corporate - Dedicated" (you can check the other three boxes too, but I don't think it is necessary). Ideally, you want to choose an image that is 1536 x 2048 pixels (otherwise the image will be automatically stretched or shrunk to that size) and the max size is 4MB.
Someone enabled Guided Access on an iPad; how do I disable it?
Guided Access is an accessibility feature that locks the iPad into using a single app and could also disable certain features in that app. When enabled, it prompts you to enter a passcode which will be used to unlock it - this is different from the passcode which unlocks the iPad after a period of inactivity (which is not enabled on Student iPads). Although you can clear the normal passcode from Workspace ONE, you cannot clear the Guided Access passcode from Workspace ONE. If you enable Guided Access, you cannot do a normal reboot of the iPad, but you can do a hard reset, by holding down the power and home buttons for five seconds. However, if you do a hard reset, when it reboots, it will automatically re-enable Guided Access.
If the person who enabled Guided Access forgets the passcode, the only option we have found is to do a Device Wipe or a Restore.
I also looked into trying to completely disable the Guided Access feature using a Policy in Workspace ONE, but apparently this is not supported.
Can I control the Home Screen Layout and put apps into folders?
Yes, by configuring the Home Screen Layout feature within a Profile. By default, each school has two profiles: one for Student iPads and one for Teacher iPads. The profile names each begin with the three or four character abbreviation of your school name. As an example, the profile names for Blessed Sacrament Catholic Academy are BSCA - Student Profile - Restrictions and BSCA - Teacher Profile - Restrictions.
You could create a new profile for the Home Screen Layout configurations, but it would be easier to add the configurations to either the existing Student or Teacher profile. If you wanted to apply different Home Screen Layout configurations to certain iPads, you would create a Smart Group for those iPads and then create a new Profile and assign the Profile to that Smart Group.
- Login to Workspace ONE.
- Click Devices (in the menu on the left), then click Profiles & Resources, and then click Profiles.
- Find the profile you want to modify and click its name.
- If you see a button in the lower right that says Add Version, then click that button.
- Scroll down the list on the left side and click Home Screen Layout and then click Configure.
- Add apps to the dock (the bottom row of apps on the Home Screen), add pages, and add folders as needed.
- Click the Save and Publish button in the lower left, then click Publish.
My school was given an Emergency Grant of iPads in 2020 during the Covid-19 pandemic. Can I modify Profiles or deploy apps to those iPads?
If you do not see the iPads in your school's Organization Unit (OU) in Workspace ONE, then you will not be able to modify Profiles or deploy apps to them. Send an email to ipads@desalesmedia.org and copy ctn@desalesmedia.org and request that we move your iPads into your school's OU.
How do I get an account to login to Apple School Manager?
If anyone at your school has ever logged into Apple School Manager before, then ask that person or your principal. If no one at your school has ever logged in before, then send an email to ipads@desalesmedia.org and copy ctn@desalesmedia.org and your principal and we will contact Apple to have them create an account for you (this usually takes 3-5 days).
Could I create an account for DeSales Media in my school's Apple School Manager?
Yes! We recommend that because it makes another backup account in the event everyone at your school forgets their password. Also, someone at DeSales can update your VPP token when needed, or help you with any issues related to deploying apps.
We need to create an account in @desalesmedia.org for you to use; please send an email to ipads@desalesmedia.org and let us know you would like to create an ASM account for us and we will respond with the details. Once you have it, you can follow these steps:
- Login to Apple School Manager.
- Click Accounts
- Click the Add New Account button (plus-sign icon at the top)
- First Name: DeSales
- Last Name: Media
- Managed Apple ID: asm-XXXX and in the box to the right, select appleid.yourdomain.org (replace the XXXX with the info we email to you)
- Role: Administrator
- Email Address: asm-XXXX@desalesmedia.org (we will email you with the address)
- Click Save
- Click on the new account that was just created and then click "Create Sign-In" (on the right side under the name) and choose Email.
What is my school's Apple Customer Number?
This is a six or seven digit number assigned by Apple. Even if your school doesn't have an Apple School Manager account, you probably do have an Apple Customer Number. Send an email to ipads@desalesmedia.org and we can probably look it up for you.
I forgot my password to login to Apple School Manager.
Anyone else at your school who has a login to Apple School Manager can reset your account (as long as they have admin privileges). Your principal probably has an account. For security reasons, Apple makes it very difficult for you to reset this password. You can expect it to take at least a week. If no one at your school is able to login, call Apple Deployment Programs Support at 866-902-7144. They should at least be able to point you in the right direction. If they are unable to resolve it, ask them for a case number and email that case number to ipads@desalesmedia.org and copy ctn@desalesmedia.org and your principal and we will contact Apple to begin the process to reset the password on your account.
How do I purchase or download apps from Apple School Manager?
First, make sure you can login to Apple School Manager and that you have imported the VPP token into Workspace ONE. Click Apps and Books on the left navigation bar. If you do not see Apps and Books in the list, your account probably does not have permissions to download apps. Ask your principal to grant your account the necessary permissions.
Enter the app name in the Search box, and then click on the name of the app. Select a location, enter a quantity, and click Get.
Apple School Manager will automatically synchronize your purchased apps with Workspace ONE about once every 24 hours. However, you can force this synchronization to happen immediately by logging into Workspace ONE, click on Apps and Books (in the navigation bar on the left), then click Applications, Native, Purchased, and then click Sync Assets.
If you do not see your app listed, the most likely reason is that the VPP token is either not installed or has expired.
I received an email from Apple with the subject line: Verify ownership of domain...
This is not optional. Follow these instructions to add the required TXT record to the DNS configurations for your domain. If you do not know how to add these records, please send an email to ipads@desalesmedia.org and we will be happy to help.
What is a VPP token and how is it used?
The VPP token is what links Apple School Manager (ASM) to Workspace ONE - any apps you download in ASM will appear in Workspace ONE and can be deployed to iPads. VPP tokens are good for one year and then they must be renewed. VPP stands for Volume Purchase Program. Prior to November of 2019, VPP tokens were generated using iTunes, but since then they are managed with Apple School Manager.
How do I install a VPP token for the first time?
Export the server token from Apple School Manager (ASM):
- Login at https://school.apple.com
- Click Settings (lower left corner)
- Click Apps & Books (the first time you go there you will need to click Get Started, choose your Location, and click Agree to the Terms & Conditions; if you do not see Apps & Books, let me know)
- In the section called "My Server Tokens" click Download.
- Save the File. This is known as the "sToken"
Import this token into Workspace ONE:
- Login at https://cn420.awmdm.com/AirWatch/Login
- Click Groups & Settings (lower left)
- Click All Settings, Devices & Users, Apple, VPP Managed Distribution
- Click in the radio button to select Override at the top of the page
- Enter a Description (it doesn't matter what you enter, but you cannot leave it blank)
- Click the Upload button to the right of the sToken field.
- Click Choose File, select the file, click Save, and Save (you may need to scroll down or make your window larger to see it)
- The date next to Valid Until should have changed to a later date (about one year from now)
How do I renew my VPP token?
VPP tokens expire one year after they are issued. You do not need to wait until your token expires to renew it. Once you download a token from Apple School Manager, it invalidates the previous token, so be sure to import it into Workspace ONE right away. If your VPP token expires, your apps will still function normally, but you will not be able to deploy new apps until you renew the token.
Export the server token from Apple School Manager (ASM):
- Login at https://school.apple.com
- Click Settings (lower left corner)
- Click Apps & Books
- In the section called "My Server Tokens" click Download.
- Save the File. This is known as the "sToken"
Import this token into Workspace ONE:
- Login at https://cn420.awmdm.com/AirWatch/Login
- Click Groups & Settings (lower left)
- Click All Settings, Devices & Users, Apple, VPP Managed Distribution
- Click the Renew button at the lower right corner of the screen (you may need to scroll down or make your window larger to see it)
- Select the file, click Save, and Save (you may need to scroll down or make your window larger to see it)
- The date next to Valid Until should have changed to a later date (about one year from now)